> From: owner-openssl-us...@openssl.org On Behalf Of Joerg Schmitz
> Sent: Saturday, November 15, 2014 12:16

> I hope you can help me. I'm about to sign jar-files with a self-created certificate 
> using OpenSSL. The jar-File contains an old Java-Applet which Java is blocking 
> (as long as it is not signed) in the browser since version 7.51. Once it is signed, 
> I just have to install the certificate (in the system / browser / JRE).

> Right now I have a problem signing the certification request (see below "Step 7"): 
> "unable to load certificate". What do I have to change to pass this step? 

That's already answered.

> In addition I am not sure about the further steps (which I also added below). 
> Could you pls also tell me if these are right?

But as to the others:

> 1.) Create folder structure cd test mkdir private certs newcerts conf export 
> csr 
> echo '01' > serial touch index.txt export 
> OPENSSL_CONF=/home/joerg/cacerts/myca/openssl.cnf

Those are all run together and need to be separated, but are then reasonable.

> 2.) Create the Certificate Authority
> openssl req -new -x509 -days 3650 -keyform PEM -outform PEM -keyout test/private/cakey.pem -out test/cacert.pem

By default req -new -x509 is only valid for 30 days. If you want your apps 
to last longer than that, choose a suitably longer period in days. You use 
365 for the child cert below, and the CA needs to be at least that long.
Since you need to install any reissued root cert in each client, 
you probably want to make it longer, like 5 or 10 years, as long as 
you're confident you will keep your private key secure and no one 
else can get at it to create unauthorized certs and thus apps.

> 3.) Copy the CA into a format which can be managed by the Java-keystore:
> openssl x509 -outform der -in test/cacert.pem -out test/cacert.crt

Not needed. keytool has been able to read certs in PEM for a long time.
(The API for a *program* doesn't, or not easily, but keytool does.)
 
> 4.) Generate Keystore
> keytool -genkey -keystore javakeystore.jks -alias test

Create keystore *and generate private key*. 

> 5.) Check Keystore
> keytool -list -keystore javakeystore.jks -storepass "whatever"
<snip>

> 6.) Create certification request
> keytool -certreq -v -file test/certs/caRequest.csr -alias "test" -keystore javakeystore.jks -storepass "whatever"

> 7.) Sign the certificate with the CA
> openssl ca -days 365 -in test/certs/caRequest.csr -out test/newcerts/caRequest.pem -policy policy_anything
<snip error, see other answer>

> My plan is to continue like this:

> 8.)
> openssl x509 -in test/newcerts/caRequest.pem -out test/newcerts/caRequest.pem -outform PEM

> 9.)
> openssl x509 -outform der -in test/newcerts/caRequest.pem -out test/newcerts/caRequest.crt

Not needed. Current Java (7 or 8) keytool can read PEM even with the comments 
'ca' adds.

> 10.) Concatenate the certificate chain
> cat test/newcerts/caRequest.pem test/cacert.pem > test/newcerts/caRequest.chain

Not needed if you separately load the one-and-only CA cert as you do.

> 11.) Indicate that I trust this CA
> keytool -import -trustcacerts -file test/cacert.pem -alias test -keystore javakeystore.jks -storepass "whatever"

On this step the -alias must NOT MATCH your private key entry, which is 'test'. 
Maybe 'myroot'.  
-trustcacerts is not relevant here, only when importing *some* child certs.

> 12.) Import it into your keystore
> keytool -import -file test\newcerts\caRequest.chain -alias test1 -keystore javakeystore.jks -storepass "whatever"

This step must be -alias test to MATCH the private key entry.

> 13.) Sign jar file
> jarsigner -keystore javakeystore.jks TestApplet.jar test



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
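The whole procedure from the thread (steps 1-13, with the corrections from the reply: a root that outlives its children, a minimal openssl.cnf so `openssl ca` can find its database, serial, key and cert, the root imported under its own alias and the signed cert under the key's alias) as one script. This is an added example, not code from either poster. It assumes OpenSSL 1.1.1 or later, a JDK for keytool/jar/jarsigner, a work directory passed as the first argument, and placeholder names throughout (the "myroot"/"test" aliases, the "changeit" store password, the file name sign_applet.sh that gates the top-level run, and the constructed Hello.txt jar content).

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: OpenSSL 1.1.1+, a JDK on PATH,
# work dir in $1; "changeit", the aliases and file names are placeholders.
set -eu
PW=changeit

# Steps 1-2: directory layout, a minimal openssl.cnf for 'openssl ca', and a
# 10-year self-signed root so it outlives every 365-day child it signs.
setup_ca() {
  dir=$1
  mkdir -p "$dir/private" "$dir/newcerts" "$dir/csr"
  echo 01 > "$dir/serial"
  : > "$dir/index.txt"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = myca
[ myca ]
dir             = $dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = code_signing
[ policy_anything ]
commonName             = supplied
organizationName       = optional
organizationalUnitName = optional
countryName            = optional
[ code_signing ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = codeSigning
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
CN = Example Private Root CA
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -days 3650 -sha256 -newkey rsa:2048 -nodes \
    -config "$dir/openssl.cnf" \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem"
}

# Step 7: sign a CSR ($2) into $3; -batch skips the interactive y/n prompts.
sign_csr() {
  openssl ca -batch -config "$1/openssl.cnf" -days 365 -in "$2" -out "$3"
}

# The reply's lifetime point: succeed only if cert $1 is still valid in $2 days.
cert_outlives_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" > /dev/null
}

# Steps 4, 6, 7, 11, 12, 13. Root under its own alias (myroot), signed cert
# under the key entry's alias (test); keytool reads the PEM 'ca' writes as-is.
keystore_flow() {
  dir=$1; ks=$dir/javakeystore.jks
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias test -dname "CN=Test Applet" \
    -keystore "$ks" -storepass "$PW" -keypass "$PW"
  keytool -certreq -alias test -file "$dir/csr/test.csr" -keystore "$ks" -storepass "$PW"
  sign_csr "$dir" "$dir/csr/test.csr" "$dir/newcerts/test.pem"
  keytool -importcert -noprompt -alias myroot -file "$dir/cacert.pem" \
    -keystore "$ks" -storepass "$PW"
  keytool -importcert -noprompt -alias test -file "$dir/newcerts/test.pem" \
    -keystore "$ks" -storepass "$PW" -keypass "$PW"
  printf 'placeholder\n' > "$dir/Hello.txt"    # constructed jar content
  jar cf "$dir/TestApplet.jar" -C "$dir" Hello.txt
  jarsigner -keystore "$ks" -storepass "$PW" "$dir/TestApplet.jar" test
  jarsigner -verify -strict -keystore "$ks" "$dir/TestApplet.jar"
}

main() {
  work=${1:-$(mktemp -d)}
  setup_ca "$work"
  cert_outlives_days "$work/cacert.pem" 365
  if command -v keytool > /dev/null 2>&1; then
    keystore_flow "$work"
  else
    echo "keytool not found: CA ready in $work, keystore steps skipped" >&2
  fi
}

# Only runs when saved as sign_applet.sh, so the functions can also be sourced.
if [ "${0##*/}" = sign_applet.sh ]; then main "$@"; fi
```

Save it as sign_applet.sh and run `sh sign_applet.sh /home/you/test`; the `-checkend` call is the cheap guard against the lifetime mistake the reply warns about, and `jarsigner -verify -strict` against the keystore is the check that the chain the browser will see actually validates to the root you just imported.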